
feat(package): provenance support #5275

Closed
wants to merge 1 commit into from

Conversation

sambacha (Contributor)

Support Provenance Statement

A provenance statement is displayed on a package's registry page, as shown here:

[Screenshot, 2024-05-25: provenance statement shown on a package's npm registry page]

For more information regarding provenance statements and the requirements as defined by npmjs, see https://docs.npmjs.com/generating-provenance-statements#prerequisites

The id-token permission is required to publish to SigStore via OpenID Connect. You can read more about GitHub's attestation program here: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

GitHub Action CI Support

You can use PNPM, just be sure to use the latest npm client for the actual publishing part of the release process. Yarn is not supported.

```diff
jobs:
  build:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
    steps:
      - uses: actions/checkout@v3
# ...
+      - run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NPM_CONFIG_PROVENANCE: true
```

Scoped Publishing

Seeing as Hardhat is not scoped under the @NomicFoundation org, packages that are scoped should adjust their configuration in the manifest:

```json
"publishConfig": {
  "@nomicfoundation:registry": "https://registry.npmjs.org",
  "provenance": true
}
```

`npm audit signatures`

Example response showing the count of verified registry signatures and verified attestations for all of the packages in a project:

```text
audited 1267 packages in 6s

1267 packages have verified registry signatures

74 packages have verified attestations
```
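The description above relies on two settings being in place before `npm publish` runs: the manifest's `publishConfig` opt-in and the workflow's `id-token: write` permission (the OIDC token is what the publish step presents to Sigstore). The following Node script, added here as an example and not part of this PR or the Hardhat repository, is a pre-publish gate that checks both; the sample manifest and workflow are constructed inline, and the function names are my own.

```javascript
// Added example (not from the PR): pre-publish checks for npm provenance.
// Inputs are constructed samples; in CI they would be read from package.json
// and the workflow file (paths hypothetical).

// Returns a list of problems in a package.json manifest (empty array = OK).
function checkPublishConfig(manifestText, scope) {
  const manifest = JSON.parse(manifestText);
  const cfg = manifest.publishConfig || {};
  const problems = [];
  if (cfg.provenance !== true) {
    problems.push('publishConfig.provenance must be true to attach a provenance statement');
  }
  const registryKey = `${scope}:registry`;
  const registry = cfg[registryKey] || cfg.registry;
  if (registry !== 'https://registry.npmjs.org') {
    problems.push(`${registryKey} (or registry) must point at the public npm registry`);
  }
  if (manifest.private === true) {
    problems.push('private packages cannot be published with provenance');
  }
  return problems;
}

// Line-based scan of a GitHub Actions workflow for a `permissions:` block
// (top-level or job-level) that grants id-token: write. Deliberately not a
// full YAML parser: comments are stripped and scope is tracked by indentation.
function checkWorkflowPermissions(workflowText) {
  let idToken = null;
  let inPermissions = false;
  let permIndent = -1;
  for (const raw of workflowText.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd();
    if (!line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    if (/^\s*permissions:\s*$/.test(line)) { inPermissions = true; permIndent = indent; continue; }
    if (inPermissions && indent <= permIndent) inPermissions = false;  // block ended
    const m = inPermissions ? line.match(/^\s*id-token:\s*(\S+)/) : null;
    if (m) idToken = m[1];
  }
  return idToken === 'write' ? [] : [`permissions.id-token must be write (found ${idToken || 'none'})`];
}

// Constructed samples mirroring the snippets in the description.
const SAMPLE_MANIFEST = JSON.stringify({ name: '@nomicfoundation/example', version: '1.0.0',
  publishConfig: { '@nomicfoundation:registry': 'https://registry.npmjs.org', provenance: true } });
const SAMPLE_WORKFLOW = ['jobs:', '  build:', '    runs-on: ubuntu-latest', '    permissions:',
  '      contents: read', '      id-token: write', '    steps:',
  '      - run: npm publish --access public'].join('\n');
```

Run both checks in the release job and abort before `npm publish` if either returns a non-empty list; a publish that silently lacks the token or the opt-in succeeds but ships no attestation.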


changeset-bot bot commented May 25, 2024

⚠️ No Changeset found

Latest commit: 4c14284

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


vercel bot commented May 25, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| hardhat | ✅ Ready | Visit Preview | Add feedback | May 25, 2024 11:10pm |

@alcuadrado (Member)

We'll do our next release with our usual process, and I'll get this merged before the next one.

@alcuadrado alcuadrado self-requested a review May 30, 2024 17:27
@alcuadrado alcuadrado self-assigned this Jun 6, 2024
@kanej (Member)

kanej commented Jun 27, 2024

Hey @sambacha thanks for the PR. We are going to hold on provenance for the moment. It means fully automating our deployments, which is a larger task.
We are going to move to fully automated deployments for the v-next branch as a first step and roll that out along with provenance as part of v3.

@kanej kanej closed this Jun 27, 2024